On May 25, 2010 , the US Securities and Exchange Commission (the “Commission” or the “SEC”) issued its final rule implementing the whistleblower bounty provisions in the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Act”). See Pub. L. 111-203 (July 21, 2010) § 922 (codifying whistleblower bounty provisions into Section 21F of the Securities Exchange Act of 1934); SEC Rel. No. 34-64545 (May 25, 2011) (the “Issuing Release,” including at 241-79 the “Final Rule”). The Final Rule implements provisions in the Act that require the Commission to award a bounty to eligible whistleblowers in cases where enforcement actions include monetary sanctions collected above $1 million and a whistleblower has made a qualifying report to the Commission. In particular, the Commission must award a whistleblower bounty of between 10% and 30% of the monetary sanctions in the Commission enforcement action and related enforcement actions.
For corporations, the most significant aspect of the Final Rule is what it does not require—whistleblowers are not required to report wrongdoing internally within the company as a condition to being eligible for an award. After the rule proposed in November 2010 (the “Proposed Rule”) did not include such a requirement, many companies from a wide range of industries submitted written comments to the SEC expressing concerns that the absence of such a requirement would undercut companies’ internal compliance programs. Despite these comments, the Commission declined to take this approach. Instead, the Commission, building on the approach in the Proposed Rule, included some additional incentives it believed would encourage internal reporting.
Because the Final Rule allows whistleblowers to go directly to the Commission, it raises a question left unanswered in the Issuing Release as to whether a company can still receive credit under Seaboard for independently discovering and voluntarily reporting wrongdoing to the Commission where, unbeknownst to the company, a whistleblower has already made a report. Under the policy formalized in 2001 in the Commission’s Seaboard report, voluntary self-reporting is a factor determining the level of credit a company may receive in a Commission action. Under Seaboard, the degree of credit can range “from the extraordinary step of taking no enforcement action to bringing reduced charges, seeking lighter sanctions, or including mitigating language in documents [used] to announce and resolve enforcement actions.”
In practice, self-reporting has become a requirement if a company is to have any hope of avoiding an enforcement action or civil penalty. As discussed later in this alert, the Commission’s failure to adequately explain the ways in which the existence, timing, and type of a whistleblower report will impact a company’s ability to claim credit for self-reporting (and what benefits will flow from that self-report) may push companies to one of two extremes—causing companies to hastily self-report even the most minor of concerns to the Commission staff, or causing companies to avoid self-reporting altogether.
Yet the Commission’s failure to address these questions goes much further and calls into question the viability of certain of the Commission’s cooperation initiatives announced in early 2010. Under these initiatives, the Commission has sought to motivate and reward cooperation by allowing cases to be resolved outside of enforcement proceedings, through settlements in non-prosecution (“NPAs”) and deferred-prosecution agreements (“DPAs”). In its late 2010 announcement of its first NPA—with Carters, Inc. in a financial fraud case with no monetary penalty—the Commission highlighted Carter’s “prompt and complete self-reporting.” SEC Press Rel. 2010-252 (Dec. 20, 2010). Similarly, in the Commission announcement in mid-May of this year of its first DPA—with Tenaris S.A. (“Tenaris”) in a Foreign Corrupt Practices Act (“FCPA”) case—the Director of the SEC’s Division of Enforcement highlighted “[t]he company’s immediate self-reporting” as a factor determining the outcome. SEC Press Rel. 2011-112 (May 17, 2011). Whether either a NPA or a DPA is possible in the event a whistleblower is first to the Commission’s or company’s door is nowhere addressed in the Commission’s Issuing Release.
After reviewing the Tenaris case, we will return to the whistleblower Final Rule, discussing both the contours of the Final Rule and exploring its likely impact in the current enforcement environment, particularly in the FCPA area.
SEC Announces First DPA, in an FCPA Case with Tenaris
On May 17, 2011, the Commission announced that it had entered into a DPA with Tenaris, a Luxembourg-based global supplier of steel tubes and related services whose shares are traded on the New York Stock Exchange. This is the first DPA entered into by the Commission since its early 2010 announcement that DPAs would be available to incentivize and reward cooperation. Under the DPA, the Commission agreed to forgo filing a civil action against Tenaris for violations of the anti-bribery and accounting (internal controls and books and records) provisions of the FCPA in connection with its business activities in Uzbekistan in 2006 and 2007, provided that Tenaris complies with the terms and conditions of the two-year DPA.
Under the terms of the DPA, Tenaris agreed to pay $5.4 million in disgorgement and interest to the Commission, and to pay a $3.5 million criminal penalty under a separate two-year non-prosecution agreement entered into with the US Department of Justice (“DoJ”). Tenaris also agreed to further cooperate with the ongoing Commission investigation and to report any informal or formal complaint against Tenaris relating to any anti-bribery or securities law, regulation, or rule. Tenaris further agreed to implement due diligence requirements related to the retention and payment of agents; to carry out annual reviews of its compliance program; to secure periodic certifications of compliance with its Code of Conduct by directors, officers, and management; and to carry out “effective” anti-corruption training of personnel whose activities are relevant to FCPA compliance.
Alleged Bribery in Uzbekistan
The DPA (at ¶¶ 6d-y) highlighted a scheme under which Tenaris made payments to an agent in connection with efforts to win business from the Uzbekistan state oil company. Tenaris agreed to pay an agent in Uzbekistan a 3.5% commission after the agent provided confidential bid information from officials of the state enterprise. (The extent of due diligence on the agent was not described by the Commission.) Based in part on the information provided by the agent, the company was able to fashion its bids and win several contracts. The DPA alleges that the company “understood” that a portion of funds would be paid to officials at the state enterprise subsidiary. The DPA does not cite conduct by a person while within the United States; instead, it states that Tenaris paid the agent “through an intermediary bank” in New York. (E-mails from company sales personnel further indicated an alleged agreement to pay Uzbek officials to prevent an investigation of the leaking of confidential bid information.) Based on the foregoing, the DPA referred to alleged violations of the anti-bribery and accounting provisions of the FCPA.
Tenaris’ Response to Reports of Wrongdoing, and Implications of the SEC DPA
According to the DPA and Tenaris’ disclosures, in March 2009, the company received a report from a customer in Central Asia that a sales agent may have made improper payments to customer employees. DPA ¶ 6z; Tenaris Form 6-K (May 7, 2011). The company’s Audit Committee commissioned an internal investigation, which included a worldwide review of its internal control system. The company made a disclosure to the Commission and the DoJ. See DPA ¶¶ 6z-bb. The DPA (¶ 6bb) characterized this disclosure as “timely, voluntary, and complete.”
The resolution with Tenaris highlights several features of DPAs that may make them an attractive tool for companies seeking to resolve FCPA matters with the SEC on favorable terms. Most significantly, the DPA can carry a lesser “stigma” than an administrative or judicial action. A company with a DPA can report that it has not been subject to an “enforcement action.” Unlike in an administrative or judicial action, with a DPA there is no cease-and-desist order or injunction associated with a resolution. This reduces the stakes in the event that the company faces enforcement action in the future. In Tenaris, the company did agree, however, to refrain from violating the securities laws for the two-year term of the DPA. See id. ¶ 7a. Also, the SEC DPA in Tenaris, like Commission judicial and administrative actions, was settled on a “no admit or deny” basis. Tenaris was not required to admit the allegations in the DPA, which may allow it to preserve defenses in a collateral civil action, such as a shareholder derivative suit. A “no admission” DPA also may decrease the chances that companies doing business with governments or in projects funded by international financial institutions would face cross-debarment based upon the DPA. This feature of the SEC’s first DPA stands in contrast with DPAs entered into with the DoJ, which generally require the defendant to admit to a statement of facts filed with the court and which cannot be contested even in collateral proceedings.
At the same time, however, DPAs may be a device to further ratchet up compliance expectations on companies. Not only can the DPA be used to impose detailed compliance program expectations (such as compliance training obligations specified in the Tenaris DPA), but the availability of a DPA also could increase the number of Commission cases, including FCPA cases. Whereas the Commission may not previously have taken an enforcement action in a given case, Commission staff now can seek a DPA. In so doing, the Commission could avoid potential litigation risks over its legal theory or its jurisdictional theory. For example, the Tenaris DPA does not establish the basis for the Commission allegation that Tenaris “understood” that a pass-through payment would be made to an official from a commission of merely 3.5%. The Tenaris DPA also does not clearly establish a purposeful use of interstate commerce within the United States, beyond the alleged routing of a payment through a US account (which may have been merely an inter-bank clearing account for US dollar transactions). By resolving the case through a DPA, the Commission is able to avoid scrutiny of these aspects of the case.
Less Restrictive Eligibility Criteria
Under the Final Rule, the Commission is required to grant a whistleblower award to an individual who voluntarily provides original information to the Commission leading to successful Commission enforcement action in which total monetary sanctions exceed $1 million. These overall criteria have not changed since the Proposed Rule. (For background on the Proposed Rule, see Steptoe Alert .) The Final Rule does, however, make significant changes to how some of these eligibility criteria are defined and interpreted. Virtually all of these changes tend to broaden the universe of reports that may be eligible for a whistleblower award:
- Broader definition of “voluntary” report. Under Rule 21F-4(a), a report is voluntary if it is submitted before a government request, inquiry, or demand is directed to the individual or his representative. Thus, unlike the Proposed Rule, if a request is made to the employer and the employer interviews or obtains documents from the individual, the individual can still satisfy the “voluntary” standard under the rule. Similarly, an employee is not rendered ineligible on the basis of the “voluntary” standard if a company interviews the employee in an internal investigation where no government requests have been made. In both instances, the employee will still need to satisfy other eligibility criteria which the SEC believes will be difficult to do where the only source of original information is an existing investigation or proceeding, the information was obtained from an “excluded person” under Rule 21F-4(b)(4)(vi), or in a privileged communication (see the Issuing Release at 31, 36, 43, 83, 139, and n. 73).
- Longer “look back” period for reports that are initially made internally. As under the Proposed Rule, Rule 21F-4(b)(7) provides that the date of the whistleblower’s report to the Commission can be deemed to be the date of their earlier internal report. Under the Final Rule, though, the look back is 120 days (30 days longer than in the Proposed Rule). This “look back” provision ensures that individuals who elect to report internally and wait up to 120 days before going to the Commission are not penalized for making a late or delayed report to the Commission. While such an additional 30 days may not materially change a whistleblower’s incentives to report internally, the Commission made this revision to provide companies with additional time to get their arms around a matter and report it to the Commission in instances where it already has been reported internally.
- Broader standard of what type of report is deemed to “lead to an enforcement action.” The standards for when a report meets the statutory criteria (of leading to an enforcement action) are broader under the Final Rule than under the Proposed Rule. Under Rule 21F-4(c), the following three types of reports by eligible individuals are eligible for an award in a case where monetary sanctions exceed $1 million:
- Trigger of investigation. The first type of eligible report is a report that is specific, credible, and timely, and triggers the opening or reopening of an investigation leading to a successful enforcement action based at least in part on the conduct identified in the report. In the Proposed Rule, the report had to have “significantly contributed” to the success of the action;
- Significant contributor to ongoing investigation. The second type of eligible report is a report provided in an ongoing investigation that “significantly contributed” to a successful enforcement action. In the Proposed Rule, the report had to be “essential” to the success of the action; or
- Internal report contemporaneous with, or followed by, report to the Commission. The third type of eligible report is one made through an entity’s internal whistleblower, legal, or internal compliance function, provided that the company initiates an internal investigation in whole or in part based upon that report, the company reports to the Commission, the company report satisfies either of the foregoing conditions in (1) or (2), and the individual still reports to the Commission within 120 days of the internal report. This third type of report was not covered in the Proposed Rule and would allow the Commission to determine the value of the whistleblower’s tip by looking at the overall value to the Commission of the internal investigation by the company.
- Clarification of type of information that can be eligible for an award. A whistleblower is now explicitly defined in Rule 21F-2(a)(1) as someone who reports information to the Commission that “relates to a possible violation of the federal securities laws … that has occurred, is ongoing, or is about to occur.” In at least one respect, this standard may be broader than the “potential violation” standard in the Proposed Rule. By referring to a possible violation that is “about to occur,” the Final Rule explicitly allows awards for reporting even when a violation has not even happened yet.
- Aggregation of sanctions in related actions to reach $1 million threshold. Under Rule 21F-4(d)(2), multiple Commission actions can be aggregated for purposes of determining whether the $1 million threshold for granting whistleblower awards has been met. This change from the Proposed Rule (which would have required $1 million in a single action) will make whistleblower awards available in more cases.
Broadening of exceptions for reporting by certain compliance, legal, and auditing personnel. The Final Rule maintains a division between persons categorically excluded from eligibility for a whistleblower award (including, but not limited to, US government officials, foreign officials, auditors engaged in an audit of an issuer’s financial statement, and persons criminally convicted for the reported conduct), and persons who are generally excluded from being eligible, with certain exceptions, because their information is not viewed as derived from “independent knowledge or analysis” (and therefore is not “original information” under the Final Rule). See Rule 21F-4(b)(4). Persons in the latter group include attorneys and others who learn information subject to the attorney-client privilege that cannot be disclosed under applicable rules. It also includes, unless an exception applies, officers and directors who are informed of misconduct or learn about it in connection with a company’s compliance system, compliance and internal audit personnel, as well as employees of outside firms that are retained to perform compliance or audit work for an entity or are retained to conduct an inquiry or investigation into possible violations of the law. For this group, the exceptions in Rule 21F-4(b)(4)(v) have been clarified in the Final Rule to include the following situations:
- The individual has a “reasonable basis” to believe disclosure is “necessary to prevent … conduct likely to cause substantial injury to the financial interests or property of the entity or investors.” This exception was not included in the Proposed Rule and represents a significant expansion of the eligibility standards;
- The individual has a “reasonable basis” to believe that the entity is “engaging in conduct that will impede an investigation of the misconduct,” which the Issuing Release describes as including destroying documents or influencing witnesses. The Proposed Rule had referred to conduct that constituted “bad faith;” or
- At least 120 days have elapsed since the information was brought to the attention of the pertinent compliance or management personnel. The Proposed Rule had simply referred to an “unreasonable delay” in corporate self-reporting.
Whistleblower’s Role in Internal Compliance Process Now Must Be Considered When Determining the Amount of an Award
Under Rule 21F-6, the Commission’s determination of where within the 10% to 30% range an award will fall remains largely unchanged, and continues to include analysis of the extent of the whistleblower’s culpability in the underlying conduct. Under the Final Rule, however, the Commission is required to take into account the whistleblower’s conduct vis-à-vis the internal compliance process by considering the following factors when determining the amount of an award. Some of these factors seem designed to encourage initial reporting to the company:
- Factor that increases the amount of an award: (1) “Participation in internal compliance systems,” including reporting internally in advance of or contemporaneous with a report to the Commission and assistance with the internal investigation; and (2) the timeliness of a whistleblower’s report to the Commission or the entity.
- Factors that decrease the amount of an award: (1) “Unreasonable reporting delay” by the whistleblower, such as failing to take steps to prevent, as well as waiting until there is an investigation; and (2) “Interference with internal compliance and reporting” by the whistleblower, such as steps to prevent or delay detection or lying to investigators.
Prohibition Against Impeding Communications with the Commission, Including Enforcing Corporate Confidentiality Agreements
As under the Proposed Rule, Rule 21F-17(a) prohibits “impeding” an individual from communicating with the Commission, including by “enforcing, or threatening to enforce, a confidentiality agreement.” As under the Proposed Rule, Rule 21F-17(b) also provides that the staff is “authorized” to communicate with a whistleblower who is a director, officer, or employee of the company, without obtaining consent of company counsel.
Potential Impact of the Whistleblower Rule on Compliance Programs and the Ability of Companies to Obtain Credit for Self-Reporting
Impact on ability of companies to detect wrongdoing
- Final Rule continues to pose an overall disincentive to internal reporting. Whistleblowers may believe that the chance of an enforcement “action” (which the Final Rule states is “generally” defined as a “single captioned judicial or administrative action”) is higher if they bypass internal processes. The Tenaris case provides a useful example. That case arose when the customer in Central Asia reported the matter to the company (spurring the investigation and disclosure). Under the Final Rule, customers in these circumstances now may be incentivized to disclose directly to Commission. If that had occurred in Tenaris, there is real question as to whether the company would have qualified for a DPA, as its ability to discover the problem, and thus self-report, presumably would have been compromised. The most the Commission said about this issue in the Issuing Release is that it anticipates that, in appropriate cases, upon receiving a whistleblower complaint, it will contact the company and give it the opportunity to investigate the matter and report back. The company’s actions thereafter will be evaluated against the Seaboard factors. See Issuing Release at 92.
- Certain features of the Final Rule may preserve some level of internal reporting Internal reports can increase the amount of an award. A whistleblower’s participation in internal compliance processes is now an explicit factor that the Commission must consider in determining the amount of the award (whereas before it was only mentioned in the proposing release as an optional factor to consider). This slightly strengthens the potential for an increased award amount based on internal reporting. Internal reports can increase the chance of eligibility. Because individuals can recover a bounty based on an internal report that the company develops and reports to the Commission, this may incentivize some individuals to file internal reports. In so doing, provided that they report the information to the Commission within 120 days, they may be able to get credit (a) based upon an internal report that would not, by itself, have qualified for an award or (b) for the entire penalty for a larger problem that they did not even know about.
Impact on corporate internal investigations of, and response to, wrongdoing
- Potential increased leverage to secure cooperation of certain employees in internal investigations. As noted above, when determining the amount of an award to an individual, the Commission must consider the extent to which the individual interfered with internal compliance processes. This creates at least some increased incentive to cooperate with internal investigations, insofar as a witness intends to file a whistleblower report and is interested in maximizing the amount of the potential award.
- Non-waivable whistleblower protections may be enforced by the Commission, and potentially could cover employees who make internal reports without filing a report with the Commission. The Act (§ 929A codifying Exchg. Act § 21F(h)) afforded individuals who report information to the Commission, including employees of foreign affiliates of an issuer, increased protection against retaliation by the employer, including a right to file a civil action. In the view of the Commission, these protections cannot be waived. See Issuing Release at 19-20. The Commission also states that it has authority to enforce these protections (thus there is a now an additional potential basis for company exposure to the Commission). Id. at 18. In addition, Rule 21F-2(b) clarifies that the protections are triggered by the whistleblower’s report, even if the report does not lead to an enforcement action.
Impact on corporate self-reporting
As noted above, the Final Rule creates incentives for self-reporting that push companies in competing directions—on the one hand, to report earlier and even prematurely; while, on the other hand, potentially disincentivizing them to self-report at all. These competing dynamics arise for the following reasons:
- Incentive for early, even premature, corporate disclosures remains. Although the Final Rule extended the tolling period for a whistleblower to go to the Commission after making a voluntary internal report from 90 days to 120 days, it is unlikely this extension will meaningfully afford a company sufficient time to adequately and appropriately gather evidence and make reasoned judgments about complex factual and legal issues, especially in the FCPA area. Also, by suggesting greater “leniency” will be given to companies that promptly self-report following receipt of an internal whistleblower report, and by indicating such companies may be allowed to perform their own investigations before the staff decides its own investigative course, it is clear the Commission is trying to create incentives for companies to self-report soon after they receive an internal report. In addition, certain control/compliance personnel, as noted above, also remain able to become eligible to file a report (after 120 days, or even before, such as when the individual reasonably believes there will be a “substantial injury to investors,” or that the investigation will be impeded). These dynamics, as well as others, place further pressure on corporations to prematurely self-report.
- Disincentive to self-reporting created by potential for reduced cooperation credit when a whistleblower beat the company to the door. The Commission may not view a corporate self-report as being early enough, voluntary, or complete under the Seaboard factors if the Commission already has received a confidential whistleblower report of which the company is not aware. This could affect a company’s eligibility for more favorable resolutions (no charges, NPA, DPA), lesser charges (accounting violations or a charge not based on Section 10(b) of the Exchange Act), or lesser penalties. Thus, without further clarification, some companies may decide to err against self-reporting, particularly where a problem is discovered that has been going on for some time and there is a meaningful possibility that the problem already has been the subject of a whistleblower report to the Commission.
Tension between NPA/DPA outcomes and whistleblower award eligibility
- For a whistleblower to obtain an award there must be an enforcement “action.” The rule defines an “action” “generally” as a “single captioned judicial or administrative action.” Neither a NPA nor a DPA would appear to meet this definition and the Issuing Release does not address the issue. Plainly stated, in order to maintain existing incentives for cooperation, the Commission will need to ensure that corporations are not charged in civil injunctive actions or administrative cease-and-desist proceedings (and therefore denied a NPA or DPA outcome they would otherwise deserve) in order to preserve a whistleblower’s eligibility for an award.
Need for clarification of how Seaboard factors will be applied in whistleblower cases
The Seaboard factors were devised at a time when strong whistleblower incentives did not exist. Over the years, self-reporting achieved heightened prominence and essentially became a requirement for a company to avoid an enforcement action or achieve a no-penalty outcome. The whistleblower rules predictably may reduce internal reports, nullifying the ability of companies to truly self-report. To account for this reality, the Commission either should rebalance the Seaboard criteria, or else make clear that regardless of the whether a whistleblower makes an internal report or goes directly to the SEC, a company can still avoid an enforcement action. The Commission also should expressly state that where the whistleblower has gone directly to the SEC, a company can still obtain a reduced penalty or no-sanction outcome.
- The Commission could state that when a whistleblower reports only to the Commission, it will only consider the company’s remediation and cooperation efforts in deciding whether to afford the company an outcome without charges or a penalty. Such an approach would acknowledge that the ability of a company to make a prompt self-report is limited by the approach taken by the whistleblower.
- To continue to incentivize companies to maintain strong internal monitoring procedures, the Commission could announce that a company’s self-policing efforts will be credited even if they are not used in the particular case. This might mean that the Commission would examine a company’s compliance staff and the procedures they normally follow when they receive information about a securities violation.